EP3327702B1 - Secure computation device, method therefor, and program - Google Patents

Secure computation device, method therefor, and program Download PDF

Info

Publication number
EP3327702B1
EP3327702B1 EP16827784.6A EP16827784A EP3327702B1 EP 3327702 B1 EP3327702 B1 EP 3327702B1 EP 16827784 A EP16827784 A EP 16827784A EP 3327702 B1 EP3327702 B1 EP 3327702B1
Authority
EP
European Patent Office
Prior art keywords
value
meta information
value according
secret computation
computation apparatus
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
EP16827784.6A
Other languages
German (de)
English (en)
French (fr)
Other versions
EP3327702A1 (en
EP3327702A4 (en
Inventor
Dai Ikarashi
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nippon Telegraph and Telephone Corp
Original Assignee
Nippon Telegraph and Telephone Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nippon Telegraph and Telephone Corp filed Critical Nippon Telegraph and Telephone Corp
Publication of EP3327702A1 publication Critical patent/EP3327702A1/en
Publication of EP3327702A4 publication Critical patent/EP3327702A4/en
Application granted granted Critical
Publication of EP3327702B1 publication Critical patent/EP3327702B1/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G09EDUCATION; CRYPTOGRAPHY; DISPLAY; ADVERTISING; SEALS
    • G09CCIPHERING OR DECIPHERING APPARATUS FOR CRYPTOGRAPHIC OR OTHER PURPOSES INVOLVING THE NEED FOR SECRECY
    • G09C1/00Apparatus or methods whereby a given sequence of signs, e.g. an intelligible text, is transformed into an unintelligible sequence of signs by transposing the signs or groups of signs or by replacing them by others according to a predetermined system
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/12Transmitting and receiving encryption devices synchronised or initially set up in a particular manner
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/46Secure multiparty computation, e.g. millionaire problem
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/008Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols involving homomorphic encryption

Definitions

  • the present invention relates to a technical field of secret computation.
  • Non-patent Literature 1 A technique of performing secret computation based on replicated secret sharing is known (for example, see Non-patent Literature 1).
  • Non-patent Literature 2 relates to secure multiparty computation, and in particular to secure sum computation.
  • parties are allowed to compute the sum while keeping their individual data secret, with increased computation complexity for illicitly obtaining individual data.
  • the data of the individual party is segmented into a fixed number of segments.
  • each secret computation apparatus performs secret computation using values received from the other secret computation apparatuses.
  • each secret computation apparatus can acquire a part of values to be received from the other secret computation apparatuses in advance. In such a case, it is inefficient to transfer all the values among the secret computation apparatuses.
  • a subject of the present invention is to improve efficiency of the scheme in which each secret computation apparatus performs secret computation using values received from other secret computation apparatuses.
  • the present invention provides secret computation apparatus, secret computation methods, and corresponding programs, having the features of the respective independent claims. Preferred embodiments are described in the dependent claims.
  • a secret computation apparatus stores an assigned share which is a proper subset of a subshare set with a plurality of subshares as elements, and meta information indicating values according to the elements of the subshare set or indicating that the elements are concealed values. If a value according to a provided corresponding value according to a subset of the assigned share is not obtained from the meta information, the secret computation apparatus outputs a provided value according to the provided corresponding value obtained from the subset of the assigned share.
  • the secret computation apparatus accepts input of an acquired value according to the acquired corresponding value. If the acquired value is inputted, the secret computation apparatus obtains a secret share value at least using the acquired value.
  • each of a plurality of secret computation apparatuses obtains a secret share value of an operation result according to "an input value".
  • the input value is secretly shared in accordance with a replicated secret sharing scheme. That is, “the input value” is a function value of a plurality of subshares (for example, an addition value, an addition/subtraction value or the like), and a proper subset of " a subshare set” with the plurality of the subshares as elements is assigned to each secret sharing apparatus as a share (a secret share value of "the input value”).
  • a secret share value of "the input value” there may be a case where values according to a part of the subshares are already known to each secret sharing apparatus.
  • a value according to ⁇ may be a itself or may be a function value of ⁇ .
  • the value according to ⁇ is, for example, a value corresponding to ⁇ .
  • the operation result according to an input value may be the input value itself or may be a function value of the input value. According to such a situation, "meta information” indicating values according to elements of "the subshare set” or indicating that the elements are concealed values is set.
  • the provided value according to the provided corresponding value may be the provided corresponding value themselves or may be a function value of the provided corresponding value.
  • the secret computation apparatus does not have to output “the provided value” to the other secret computation apparatuses.
  • a value according to "an acquired corresponding value” according to a subset of "an external assigned share”, which is a proper subset of "the subshare set” is not obtained from “the meta information”
  • "an acquired value” according to "the acquired corresponding value” is inputted to the secret computation apparatus.
  • the external assigned share means a share assigned to another secret computation apparatus.
  • the acquired corresponding value according to the subset may be the subset itself or may be a function value of the subset.
  • the acquired value according to the acquired corresponding value may be the acquired corresponding value itself or may be a function value of the acquired corresponding value.
  • the secret computation apparatus obtains "the secret share value as the operation result according to the input value” using at least “the acquired value”. Thereby, it is possible to reduce the number of times of transferring values among the secret computation apparatuses and improve efficiency.
  • the second input value is also secretly shared in accordance with the replicated secret sharing scheme similarly to "the input value”. That is, “the second input value” is a function value of a plurality of second subshares, and a proper subset of "a second subshare set” with the plurality of second subshares as elements is assigned to each secret sharing apparatus as a second share (a secret share value of "the second input value”).
  • the second input value is a function value of a plurality of second subshares, and a proper subset of "a second subshare set” with the plurality of second subshares as elements is assigned to each secret sharing apparatus as a second share (a secret share value of "the second input value”).
  • values according to a part of the second subshares are already known to each secret sharing apparatus.
  • second meta information indicating values according to elements of "the second subshare set” or indicating that the elements are concealed values is set. Elements for which "the values according to the elements" are represented by “the second meta information” can be identified from “the second meta information”. Elements for which it is indicated by “the second meta information” that "the elements are concealed values” cannot be identified from “the second meta information”.
  • a second assigned share” and “the second meta information” are stored.
  • the secret computation apparatus When a value according to "a provided corresponding value” according to the subset of “the assigned share” and a subset of “the second assigned share” is not obtained from “the meta information" and "the second meta information, the secret computation apparatus outputs "a provided value” according to "the provided corresponding value” obtained from the subset of "the assigned share” and the subset of "the second assigned share” to the other secret computation apparatuses.
  • an operation result is a multiplication result ab between an input value a and a second input value b
  • three secret computation apparatuses perform secret computation of the multiplication ab.
  • the secret computation apparatus stores an assigned share (a 0P , a 1P ) which is a proper subset of a subshare set (a 0P , a 1P , a 2P ), meta information A indicating values according to elements of the subshare set (a 0P , a 1P , a 2P ) or indicating that the elements are concealed values, a second assigned share (b 0P , b 1P ) which is a proper subset of a second subshare set (b 0P , b 1P , b 2P ), and second meta information B indicating values according to elements of the second subshare set (b 0P , b 1P , b 2P ) or indicating that the elements are concealed values.
  • the secret computation apparatus When a value according to a provided corresponding value a 0P b 1P +a 1P b 0P is not obtained from the information A and B, the secret computation apparatus performs communication for sharing a first arbitrary value r P with an external secret computation apparatus (a first secret computation apparatus). Otherwise, the communication for sharing the first arbitrary value rp is unnecessary.
  • the secret computation apparatus When a value according to a 2P b 0P +a 0P b 2P is not obtained from the information A and B, the secret computation apparatus performs communication for sharing a second arbitrary value rp- with an external secret computation apparatus (a second secret computation apparatus). Otherwise, the communication for sharing the second arbitrary value r P- is unnecessary.
  • the lower subscript "P" corresponds to the present secret computation apparatus; the lower subscript "P+” corresponds to the first secret computation apparatus; and the lower subscript "P-” corresponds to the second secret computation apparatus.
  • the secret computation apparatus accepts input of an acquired value c P+ .
  • a' 0P , a' 1P , b' 0P and b' 1P are values according to a 0P , a 1P , b 0P and b 1P , respectively.
  • c 0P and c 1P are secret share values of the multiplication result ab.
  • C 0P , C 1P , C 2P are meta information about secret share values of the multiplication result ab.
  • a' 0P is the value indicated by the meta information A.
  • a' 1P is the value indicated by the meta information A.
  • the meta information B indicates a value according to b 0P
  • b' 0P is the value indicated by the meta information B.
  • the meta information B indicates a value according to b 1P
  • b' 1P is the value indicated by the meta information B.
  • the operation result is an operation result ⁇ n ⁇ 0,...,N-1 ⁇ a(n)b(n) between an input value ⁇ a(0), ..., a(N-1) ⁇ and a second input value ⁇ b(0), ..., b(N-1) ⁇ (n ⁇ 0, ..., N-1 ⁇ , N ⁇ 1), and secret computation of the operation ⁇ n ⁇ 0, ...,N-1 ⁇ a(n)b(n) is performed by three secret computation apparatuses.
  • " ⁇ n ⁇ 0, ...,N-1 ⁇ ⁇ (n)" indicates " ⁇ (0)+...+ ⁇ (N-1)".
  • the secret computation apparatus stores an assigned share (a 0P (n), a 1P (n)) which is a proper subset of a subshare set (a 0P (n), a 1P (n), a 2P (n)), meta information A indicating values according to elements of the subshare set (a 0P (n), a 1P (n), a 2P (n)) or indicating that the elements are concealed values, a second assigned share (b 0P , b 1P ) which is a proper subset of a second subshare set (b 0P (n), b 1P (n), b 2P (n)), and second meta information B indicating values according to elements of the second subshare set (b 0P (n), b 1P (n), b 2P (n)) or indicating that the elements are concealed values.
  • the secret computation apparatus When a value according to a provided corresponding value ⁇ n ⁇ 0, ..., N-1 ⁇ ⁇ a 0P (n)b 1P (n)+a 1P (n)b 0P (n) ⁇ is not obtained from the meta information A and B, the secret computation apparatus performs communication for sharing a first arbitrary value rp with an external secret computation apparatus (a first secret computation apparatus). Otherwise, the communication for sharing the first arbitrary value rp is unnecessary.
  • the secret computation apparatus When a value according to ⁇ n ⁇ 0, ..., N-1 ⁇ ⁇ a 2P (n)b 0P (n)+a 0P (n)b 2P (n) ⁇ is not obtained from the meta information A and B, the secret computation apparatus performs communication for sharing a second arbitrary value r P- with an external secret computation apparatus (a second secret computation apparatus). Otherwise, the communication for sharing the second arbitrary value r P- is unnecessary.
  • a' 0P (n), a' 1P (n), b' 0P (n) and b' 1P (n) are values according to a 0P (n), a 1P (n), b 0P (n) and b 1P (n), respectively.
  • c 0P and c 1P are secret share values of the multiplication result ⁇ n ⁇ 0, ..., N-1 ⁇ a(n)b(n).
  • the secret computation apparatus obtains the value according to ⁇ n ⁇ 0 ,..., N-1 ⁇ ⁇ a 0P (n)b 0P (n)+a 0P (n)b 1P (n)+a 1P (n)b 0P (n) ⁇ and sets the value as C 0P .
  • the secret computation apparatus obtains the value according to ⁇ n ⁇ 0, ..,N-1 ⁇ ⁇ a 1P (n)b 1P (n)+a 1P (n)b 2P (n)+a 2P (n)b 1P (n) ⁇ and sets the value as C 1P .
  • the secret computation apparatus obtains the value according to ⁇ n ⁇ 0, ..., N-1 ⁇ ⁇ a 2P (n)b 2P (n)+a 2P (n)b 0P (n)+a 0P (n)b 2P (n) ⁇ from the meta information A and B and sets the value as C 2P.
  • C 0P , C 1P , C 2P are meta information about the secret share values of the operation result ⁇ n ⁇ 0, ...,N-1 ⁇ a(n)b(n).
  • the secret share values of the operation result ⁇ n ⁇ 0, ..., N-1 ⁇ a(n)b(n) include c 0P
  • the secret share values of the operation result ⁇ n ⁇ 0, ..., N-1 ⁇ a(n)b(n) include c 1P .
  • a' 0P (n) is the value indicated by the meta information A.
  • a' 1P (n) is the value indicated by the meta information A.
  • the meta information B indicates a value according to b 0P (n)
  • b' 0P (n) is the value indicated by the meta information B.
  • the meta information B indicates a value according to b 1P (n)
  • b' 1P (n) is the value indicated by the meta information B.
  • a secret computation system 1 of the present embodiment has three secret computation apparatuses 11-0, 11-1 and 11-2, and these are configured to be communicable via a network such as the Internet.
  • the operation part 112-P has processing parts 1120-P to 112A-P.
  • the secret computation apparatus 11-P is configured, for example, by a general-purpose or dedicated computer provided with a processor (a hardware processor) such as a CPU (central processing unit) and a memory such as a RAM (random-access memory) and a ROM (read-only memory), and the like executing a predetermined program.
  • the computer may be provided with one processor and one memory or may be provided with a plurality of processors and memories.
  • the program may be installed into the computer or may be recorded in a ROM or the like in advance.
  • a part or all of the processing parts may be configured not with an electronic circuitry that realizes a functional configuration by a program being read, like the CPU, but with an electronic circuitry that realizes processing functions without using a program.
  • an electronic circuitry constituting one secret computation apparatus 11-m may comprise a plurality of CPUs.
  • Each process executed by the secret computation apparatus 11-P is executed under the control of the controller 113-P, and information obtained by each process is stored into a temporary memory (not shown). The information stored into the temporary memory is read and used as necessary.
  • secret computation of multiplication ab between an input value a and an input value b is performed.
  • the input value b is a function value of the subshares b 1 , b 2 , b 3 .
  • a 0P a 1(P-1mod3)
  • Other proper subsets (a 0P , a 2P ) and (a 1P , a 2P ) of the subshare set (a 0P , a 1P , a 2P ) will be called "external assigned shares".
  • b 0P b 1(P-1 mod3)
  • b 1P b 0(P+1 mod3) are satisfied.
  • shares that are not assigned thereto are "the external assigned shares”.
  • meta information B indicating values according to the elements of the subshare set (b 0P , b 1P , b 2P ) or indicating that the elements are concealed values
  • a JP are elements of a set R with values that the input value a can take as elements.
  • a JP are elements of such a domain R' that a range of a function f belongs to the set R.
  • the function f is, for example, a homomorphism function.
  • the amount of data of the elements of the domain R' may be smaller than the amount of data of the elements of the set R.
  • Any information that indicates such values A 0P , A 1P , A 2P may be made to be the meta information A.
  • a set (A 0P , A 1P , A 2P ) with values A 0P , A 1P , A 2P as elements may be made to be the meta information A; one value indicating the set (A 0P , A 1P , A 2P ) may be made to be the meta information A; or a set of values each of which indicates a subset with a plurality of elements of the set (A 0P , A 1P , A 2P ) may be made to be the meta information A.
  • any information that indicates values B 0P , B 1P , B 2P may be made to be the meta information B.
  • the sharing part 114-P of the secret computation apparatus 11-P performs processing according to whether x 01 corresponding to the meta information A and B stored in the storage 111-P is true (T) or false (F).
  • a JP B KP
  • a JP B KP ⁇ R or A JP , B KP ⁇ R' A JP B KP ⁇ is satisfied, and, in the case of A KP , B JP ⁇ R or A KP , B JP ⁇ R', A KP B JP ⁇ is satisfied.
  • the sharing part 114-P performs communication for sharing an arbitrary value rp with an external secret computation apparatus 11-(P+1 mod3).
  • the arbitrary value rp may be a random number, a pseudorandom number or a constant.
  • the sharing part 114-P stores the generated or selected arbitrary value rp into the storage 111-P and sends it to the communication part 115-P.
  • the communication part 115-P transmits the arbitrary value rp to the secret computation apparatus 11-(P+1 mod3).
  • the arbitrary value r P- may be a random number, a pseudorandom number or a constant.
  • a sharing part 114-(P-1 mod3) of the secret computation apparatus 11-(P-1 mod3) stores the generated or selected arbitrary value r P- into a storage 111-(P-1 mod3) and sends it to a communication part 115-(P-1 mod3).
  • the communication part 115-(P-1 mod3) transmits the arbitrary value rp- to the secret computation apparatus 11-P.
  • the arbitrary value rp- is inputted to the sharing part 114-P, and the sharing part 114-P stores the arbitrary value r P- into the storage 111-P (step S104). After that, the process proceeds to step S105.
  • the process proceeds to step S105 without executing step S104.
  • the provided value cp is transmitted from the communication part 115-P to the external secret computation apparatus 11-(P-1 mod3).
  • the provided value cp is inputted to the communication part 115-(P-1 mod3) of the secret computation apparatus 11-(P-1 mod3) and stored into the storage 111-(P-1 mod3) (step S107). After that, the process proceeds to step S110.
  • x 01 F
  • the process proceeds to step S110 without executing steps S106 and S107.
  • C 0P is the value according to a 0P b 0P +a 0P b 0P +a 1P b 0P .
  • C 1P is the value according to a 1P b 1P +a 1P b 2P +a 2P b 1P .
  • C 2P is the value according to a 2P b 2P +a 2P b 0P +a 0P b 2P.
  • the processing part 112A-P of the operation part 112-P performs processing according to whether A 0P corresponding to the meta information A stored in the storage 111-P is true (T) or false (F) (step S117).
  • the processing part 112A-P performs processing according to whether A 1P corresponding to the meta information A stored in the storage 111-P is true (T) or false (F) (step S120).
  • the processing part 112A-P performs processing according to whether B 0P corresponding to the meta information B stored in the storage 111-P is true (T) or false (F) (step S123).
  • the processing part 112A-P performs processing according to whether B 1P corresponding to the meta information B stored in the storage 111-P is true (T) or false (F) (step S126).
  • the operation part 112-P outputs C 0P , C 1P , C 2P.
  • C 0P , C 1P , C 2P are meta information about the secret share values of the operation result ab.
  • c 0P and c 1P are secret share values of the operation result ab.
  • the present embodiment it is possible to reduce the number of times of transmission/reception of values among the secret computation apparatuses 11-P according to values indicated by meta information A and B. Further, in the case where operation of a value that is not required to be transmitted or received any more can be omitted, the amount of operation can be also reduced. Furthermore, in the case where the amount of operation using the meta information is smaller than the amount of operation using shares also, it is possible to reduce the amount of operation.
  • a secret computation system 2 of the present embodiment has three secret computation apparatuses 21-0, 21-1 and 21-2, and these are configured to be communicable via a network such as the Internet.
  • the operation part 212-P has processing parts 2120-P to 212A-P.
  • the secret computation apparatus 21-P is configured, for example, by the computer described before executing a predetermined program. Each process executed by the secret computation apparatus 21-P is executed under control of the controller 213-P, and information obtained by each process is stored into a temporary memory (not shown). The information stored into the temporary memory is read and used as necessary.
  • secret computation of product-sum operation ⁇ n ⁇ 0, ..., N-1) a(n)b(n) between an input value ⁇ a(0), ..., a(N-1) ⁇ and an input value ⁇ b(0), ..., b(N-1) ⁇ is performed.
  • a share (a 0P (n), a 1P (n))(an assigned share), which is a proper subset of a subshare set (a 0P (n), a 1P (n), a 2P (n)) with three subshares a 0P (n), a 1P (n), a 2P (n) as elements, is assigned.
  • a share (b 0P (n), b 1P (n)) (an assigned share), which is a proper subset of a subshare set (b 0P (n), b 1P (n), b 2P (n)) with three subshares b 0P (n), b 1P (n), b 2P (n) as elements, is assigned.
  • b 0P (n) b 1 (n)( P-1 mod3)
  • shares that are not assigned thereto are "the external assigned shares”.
  • the shares (a 0P (n), a 1P (n)) and (b 0P (n), b 1P (n)) (assigned shares) are stored ( Fig. 8 ).
  • Meta information A indicating values according to the elements of the subshare set (a 0P (n), a 1P (n), a 2P (n)) or indicating that the elements are concealed values
  • meta information B indicating values according to the elements of the subshare set (b 0P (n), b 1P (n), b 2P (n)) or indicating that the elements are concealed values are set.
  • the function f is, for example, a homomorphism function.
  • a JP (n) are elements of a set R with values that the input value a(n) can take as elements.
  • a JP (n) are elements of such a domain R' that a range of a function f belongs to the set R.
  • any information that indicates values B 0P (n), B 1P (n), B 2P (n) may be made to be the meta information B.
  • the sharing part 214-P of the secret computation apparatus 21-P performs processing according to whether x 01 corresponding to the meta information A and B stored in the storage 211-P is true (T) or false (F).
  • the sharing part 214-P performs communication for sharing an arbitrary value r P with an external secret computation apparatus 21-(P+1 mod3).
  • the sharing part 214-P stores the generated or selected arbitrary value rp into the storage 211-P and sends it to the communication part 215-P.
  • the communication part 215-P transmits the arbitrary value rp to the secret computation apparatus 21-(P+1 mod3).
  • the arbitrary value r P- may be a random number, a pseudorandom number or a constant.
  • a sharing part 214-(P-1 mod3) of the secret computation apparatus 21-(P-1 mod3) stores the generated or selected arbitrary value rp- into a storage 211-(P-1 mod3) and sends it to a communication part 215-(P-1 mod3).
  • the communication part 215-(P-1 mod3) transmits the arbitrary value r P- to the secret computation apparatus 21-P.
  • the arbitrary value r P- is inputted to the sharing part 214-P, and the sharing part 214-P stores the arbitrary value r P- into the storage 211-P (step S204). After that, the process proceeds to step S205.
  • the provided value cp is transmitted from the communication part 215-P to the external secret computation apparatus 21-(P-1 mod3).
  • the provided value cp is inputted to the communication part 215-(P-1 mod3) of the secret computation apparatus 21-(P-1 mod3) and stored into the storage 211-(P-1 mod3) (step S207). After that, the process proceeds to step S210.
  • x 01 F
  • the process proceeds to step S210 without executing steps S206 and S207.
  • C 0P is the value according to ⁇ n ⁇ 0, ...,N-1 ⁇ ⁇ a 0P (n)b 0P (n)+a 0P (n)b 1P (n)+a 1P (n)b 0P (n) ⁇ .
  • C 1P is the value according to ⁇ n ⁇ 0, ..., N-1 ⁇ ⁇ a 1P (n)b 1P (n)+a 1P (n)b 2P (n)+a 2P (n)b 1P (n) ⁇ .
  • C 2P is the value according to ⁇ n ⁇ 0, ..., N-1 ⁇ ⁇ a 2P (n)b 2P (n)+a 2P (n)b 0P (n)+a 0P (n)b 2P (n) ⁇ .
  • the processing part 212A-P of the operation part 212-P performs processing according to whether A 0P (n) corresponding to the meta information A stored in the storage 211-P is true (T) or false (F) (step S217).
  • the processing part 212A-P performs processing according to whether A 1P (n) corresponding to the meta information A stored in the storage 211-P is true (T) or false (F) (step S220).
  • the processing part 212A-P performs processing according to whether B 0P (n) corresponding to the meta information B stored in the storage 211-P is true (T) or false (F) (step S223).
  • the processing part 212A-P performs processing according to whether B 1P (n) corresponding to the meta information B stored in the storage 211-P is true (T) or false (F) (step S226).
  • the operation part 212-P outputs C 0P , C 1P , C 2P .
  • C 0P , C 1P , C 2P are meta information about secret share values of an operation result ⁇ n ⁇ 0,..., N-1 ⁇ a(n)b(n).
  • c 0P and c 1P are secret share values of the operation result ⁇ n ⁇ 0,...,N-1 ⁇ a(n)b(n).
  • the present embodiment it is possible to reduce the number of times of transmission/reception of values among the secret computation apparatuses 21-P according to values indicated by meta information A and B. Further, in the case where operation of a value that is not required to be transmitted or received any more can be omitted, the amount of operation can be also reduced. Furthermore, in the case where the amount of operation using the meta information is smaller than the amount of operation using shares also, it is possible to reduce the amount of operation.
  • the present invention is not limited to the above embodiments.
  • the case of performing multiplication or product-sum operation by secret computation is illustrated.
  • the present invention may be applied to any scheme if the scheme is such that values are transferred among a plurality of secret computation apparatuses, and each secret computation apparatus performs secret computation using values received from the other secret computation apparatuses.
  • each operation described above may be operation on a finite field, operation on an extension field, operation on a ring, or operation on other algebraic systems.
  • processing content of functions each apparatus should have is written by a program.
  • the program in which the processing content is written can be recorded in a computer-readable recording medium.
  • An example of the computer-readable recording medium is a non-transitory recording medium. Examples of such a recording medium are a magnetic recording device, an optical disk, a magneto-optical recording medium, a semiconductor memory and the like.
  • Distribution of the program is performed, for example, by sale, transfer, lending and the like of a portable recording program such as a DVD and a CD-ROM in which the program is recorded. Furthermore, a configuration is also possible in which the program is stored in a storage device of a server computer, and the program is distributed by transferring the program from the server computer to other computers via a network.
  • a computer that executes such a program first stores the program recorded in a portable recording medium or the program transferred from a server computer into its storage device once. At the time of executing a process, the computer reads the program stored in its storage device and executes the process in accordance with the read program. As another execution form of the program, the computer may read the program directly from the portable recording medium and executes the process in accordance with the program. Furthermore, it is also possible to, each time a program is transferred from the server computer to the computer, execute a process in accordance with the received program.
  • a configuration is also possible in which, without transferring the program from the server computer to the computer, the process described above is executed by a so-called ASP (Application Service Provider) type service in which processing functions are realized only by an instruction to execute the program and acquisition of a result.
  • ASP Application Service Provider
  • the processing functions of the present apparatus are realized by executing a predetermined program on a computer.
  • at least a part of the processing functions may be realized by hardware.

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)
  • Image Processing (AREA)
EP16827784.6A 2015-07-22 2016-07-20 Secure computation device, method therefor, and program Active EP3327702B1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2015144550A JP6006842B1 (ja) 2015-07-22 2015-07-22 秘密計算装置、その方法、およびプログラム
PCT/JP2016/071214 WO2017014224A1 (ja) 2015-07-22 2016-07-20 秘密計算装置、その方法、およびプログラム

Publications (3)

Publication Number Publication Date
EP3327702A1 EP3327702A1 (en) 2018-05-30
EP3327702A4 EP3327702A4 (en) 2019-03-20
EP3327702B1 true EP3327702B1 (en) 2021-09-08

Family

ID=57123215

Family Applications (1)

Application Number Title Priority Date Filing Date
EP16827784.6A Active EP3327702B1 (en) 2015-07-22 2016-07-20 Secure computation device, method therefor, and program

Country Status (5)

Country Link
US (1) US10748454B2 (zh)
EP (1) EP3327702B1 (zh)
JP (1) JP6006842B1 (zh)
CN (1) CN107851403B (zh)
WO (1) WO2017014224A1 (zh)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11042358B2 (en) * 2016-08-18 2021-06-22 Nec Corporation Secure computation system, secure computation method, secure computation apparatus, distribution information generation apparatus, and methods and programs therefor
AU2018295722B2 (en) * 2017-07-05 2020-11-19 Nippon Telegraph And Telephone Corporation Secure computation system, secure computation apparatus, secure computation method, program, and recording medium
EP3484093A1 (en) * 2017-11-10 2019-05-15 Koninklijke Philips N.V. A computation device and method
CN112805768B (zh) * 2018-10-04 2023-08-04 日本电信电话株式会社 秘密s型函数计算系统及其方法、秘密逻辑回归计算系统及其方法、秘密s型函数计算装置、秘密逻辑回归计算装置、程序
CN110457936B (zh) * 2019-07-01 2020-08-14 阿里巴巴集团控股有限公司 数据交互方法、装置和电子设备
AU2020472388B2 (en) * 2020-10-16 2024-02-15 Nippon Telegraph And Telephone Corporation Secure computation system, secure computation apparatus, secure computation method, and program

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009093603A1 (ja) * 2008-01-21 2009-07-30 Nippon Telegraph And Telephone Corporation 秘密計算システム
WO2012102203A1 (ja) * 2011-01-24 2012-08-02 日本電信電話株式会社 秘匿積和計算方法、秘匿積和計算システム、計算装置、及びそれらのプログラム
JP5492241B2 (ja) * 2012-03-28 2014-05-14 株式会社東芝 秘匿計算システム、集計装置及び集計結果復号プログラム
EP2966802A1 (en) * 2014-07-07 2016-01-13 Thomson Licensing Method for ciphering and deciphering digital data, based on an identity, in a multi-authorities context
US10490107B2 (en) * 2014-09-19 2019-11-26 Nec Corporation Secret calculation device, method, recording medium, and secret calculation system
EP3218800B1 (en) * 2014-11-12 2023-06-07 David CEREZO SANCHEZ Secure multiparty computation on spreadsheets
CN107454975B (zh) * 2015-04-07 2020-11-27 三菱电机株式会社 加密系统和密钥生成装置
JP6493522B2 (ja) * 2015-05-07 2019-04-03 日本電気株式会社 秘密計算データ利用システムと方法と装置並びにプログラム

Also Published As

Publication number Publication date
CN107851403B (zh) 2021-05-07
JP2017026788A (ja) 2017-02-02
WO2017014224A1 (ja) 2017-01-26
JP6006842B1 (ja) 2016-10-12
CN107851403A (zh) 2018-03-27
US10748454B2 (en) 2020-08-18
US20180218650A1 (en) 2018-08-02
EP3327702A1 (en) 2018-05-30
EP3327702A4 (en) 2019-03-20

Similar Documents

Publication Publication Date Title
EP3327702B1 (en) Secure computation device, method therefor, and program
EP3330880B1 (en) Secure computation system, secure computation device, secure computation method, and program
US11487969B2 (en) Apparatuses, computer program products, and computer-implemented methods for privacy-preserving federated learning
US20180205707A1 (en) Computing a global sum that preserves privacy of parties in a multi-party environment
US9589151B2 (en) Techniques and architecture for anonymizing user data
US8566578B1 (en) Method and system for ensuring compliance in public clouds using fine-grained data ownership based encryption
US20200382273A1 (en) Privacy preserving oracle
CN112990276B (zh) 基于自组织集群的联邦学习方法、装置、设备及存储介质
CN111753324B (zh) 私有数据的处理方法、计算方法及所适用的设备
JP6556659B2 (ja) ニューラルネットワークシステム、シェア計算装置、ニューラルネットワークの学習方法、プログラム
CN103518200A (zh) 确定网络位置的唯一访问者
US20200074110A1 (en) Sampling from a remote dataset with a private criterion
CN114401239A (zh) 元数据传输方法、装置、计算机设备和存储介质
US12058270B2 (en) Data protection on distributed data storage (DDS) protection networks
Al-Kuwari Privacy-preserving AI in healthcare
EP4393111A1 (en) Secure computation using multi-party computation and a trusted execution environment
Diadia et al. Dematerialization of Public Procurement Approach Based on Hyperledger Fabric Blockchain using OCDS
CN111988129B (zh) 影响力最大化数据集处理方法、装置和系统
US11962562B2 (en) Anonymous message board server verification
Dong et al. Toward a More Accurate Accrual to Clinical Trials: Joint Cohort Discovery Using Bloom Filters and Homomorphic Encryption
WO2023188258A1 (ja) 計算装置、計算方法、およびプログラム
US10715615B1 (en) Dynamic content distribution system and associated methods
WO2023188256A1 (ja) モデル学習装置、秘密連合学習装置、それらの方法、およびプログラム
Ceng et al. Hybrid extragradient method with regularization for convex minimization, generalized mixed equilibrium, variational inequality and fixed point problems
Bhattacharya et al. A Case for Splitting a File for Data Placement in a Distributed Scientific Workflow

Legal Events

Date Code Title Description
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE

PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

17P Request for examination filed

Effective date: 20180222

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

AX Request for extension of the european patent

Extension state: BA ME

DAV Request for validation of the european patent (deleted)
DAX Request for extension of the european patent (deleted)
A4 Supplementary search report drawn up and despatched

Effective date: 20190218

RIC1 Information provided on ipc code assigned before grant

Ipc: G09C 1/00 20060101AFI20190212BHEP

Ipc: H04L 9/00 20060101ALN20190212BHEP

Ipc: H04L 9/12 20060101ALI20190212BHEP

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: EXAMINATION IS IN PROGRESS

17Q First examination report despatched

Effective date: 20191023

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: EXAMINATION IS IN PROGRESS

GRAP Despatch of communication of intention to grant a patent

Free format text: ORIGINAL CODE: EPIDOSNIGR1

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: GRANT OF PATENT IS INTENDED

RIC1 Information provided on ipc code assigned before grant

Ipc: G09C 1/00 20060101AFI20200828BHEP

Ipc: H04L 9/12 20060101ALI20200828BHEP

Ipc: H04L 9/00 20060101ALN20200828BHEP

INTG Intention to grant announced

Effective date: 20200916

GRAJ Information related to disapproval of communication of intention to grant by the applicant or resumption of examination proceedings by the epo deleted

Free format text: ORIGINAL CODE: EPIDOSDIGR1

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: EXAMINATION IS IN PROGRESS

GRAP Despatch of communication of intention to grant a patent

Free format text: ORIGINAL CODE: EPIDOSNIGR1

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: GRANT OF PATENT IS INTENDED

INTC Intention to grant announced (deleted)
RIC1 Information provided on ipc code assigned before grant

Ipc: H04L 9/12 20060101ALI20210128BHEP

Ipc: G09C 1/00 20060101AFI20210128BHEP

Ipc: H04L 9/00 20060101ALN20210128BHEP

INTG Intention to grant announced

Effective date: 20210209

RAP1 Party data changed (applicant data changed or rights of an application transferred)

Owner name: NIPPON TELEGRAPH AND TELEPHONE CORPORATION

GRAS Grant fee paid

Free format text: ORIGINAL CODE: EPIDOSNIGR3

GRAA (expected) grant

Free format text: ORIGINAL CODE: 0009210

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE PATENT HAS BEEN GRANTED

AK Designated contracting states

Kind code of ref document: B1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

REG Reference to a national code

Ref country code: GB

Ref legal event code: FG4D

REG Reference to a national code

Ref country code: AT

Ref legal event code: REF

Ref document number: 1429297

Country of ref document: AT

Kind code of ref document: T

Effective date: 20210915

Ref country code: CH

Ref legal event code: EP

REG Reference to a national code

Ref country code: IE

Ref legal event code: FG4D

REG Reference to a national code

Ref country code: DE

Ref legal event code: R096

Ref document number: 602016063524

Country of ref document: DE

REG Reference to a national code

Ref country code: LT

Ref legal event code: MG9D

REG Reference to a national code

Ref country code: NL

Ref legal event code: MP

Effective date: 20210908

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: HR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210908

Ref country code: FI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210908

Ref country code: ES

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210908

Ref country code: NO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20211208

Ref country code: LT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210908

Ref country code: BG

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20211208

Ref country code: RS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210908

Ref country code: SE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210908

REG Reference to a national code

Ref country code: AT

Ref legal event code: MK05

Ref document number: 1429297

Country of ref document: AT

Kind code of ref document: T

Effective date: 20210908

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: LV

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210908

Ref country code: GR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20211209

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: AT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210908

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: IS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20220108

Ref country code: SM

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210908

Ref country code: SK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210908

Ref country code: RO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210908

Ref country code: PT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20220110

Ref country code: PL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210908

Ref country code: NL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210908

Ref country code: EE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210908

Ref country code: CZ

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210908

Ref country code: AL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210908

REG Reference to a national code

Ref country code: DE

Ref legal event code: R097

Ref document number: 602016063524

Country of ref document: DE

PLBE No opposition filed within time limit

Free format text: ORIGINAL CODE: 0009261

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: DK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210908

26N No opposition filed

Effective date: 20220609

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: SI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210908

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MC

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210908

REG Reference to a national code

Ref country code: CH

Ref legal event code: PL

REG Reference to a national code

Ref country code: BE

Ref legal event code: MM

Effective date: 20220731

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: LU

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20220720

Ref country code: LI

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20220731

Ref country code: CH

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20220731

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: BE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20220731

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: IE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20220720

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: IT

Payment date: 20230724

Year of fee payment: 8

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: HU

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT; INVALID AB INITIO

Effective date: 20160720

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210908

Ref country code: CY

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210908

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: TR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210908

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210908

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: DE

Payment date: 20240719

Year of fee payment: 9

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: GB

Payment date: 20240725

Year of fee payment: 9

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: FR

Payment date: 20240730

Year of fee payment: 9